2 Answers
2

As long as your <LimitExcept> block is within a context that's valid for the Allow/Deny directives, then it will work just fine.

If you try putting even a naked Deny rule directly in the <VirtualHost> context, you'll see that it's denied in the same way - <VirtualHost> with a Deny in it is not allowed, so neither adding a <LimitExcept> between them.

But, the trick is that <LimitExcept>, and some other block types like <IfModule>, do not modify the context of a directive; you'll never see "limit" in the list of acceptable contexts in the documentation for a directive.

There's are only four contexts that can dictate whether a directive is allowed:

In the case of the mod_authz_host directives (Order, Allow, and Deny), they're allowed only in directory and htaccess contexts, so they'll always error when they're not in one.

In your case, there's no filesystem location for this reverse-proxy vhost, so you'll want to use a <Location> block (which is a valid context for Allow/Deny because it's of the directory context type):

<Location />
Order allow,deny
Allow from all
<LimitExcept HEAD POST GET>
Deny from all
</LimitExcept>
</Location>

Oh, and get rid of that <Proxy *> block, as it's not doing anything - the <Location> takes precedence over it anyway, but it's in conflict with the <LimitExcept>'s restrictions.. so it makes me nervous.